If there's a Cisco router behind an ASA firewall that you need to remotely access over the Internet, you can configure port forwarding on the ASA (using its public outside/WAN IP). This is very useful when there's no remote tech on site to provide console access and you need to bring up (and troubleshoot) a site-to-site IPSec VPN back to your HQ.
ASA# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         200.1.1.50      YES CONFIG up                    up      // outside WAN
GigabitEthernet0/1         192.168.0.229   YES CONFIG up                    up      // inside LAN
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
Management0/0              192.168.128.3   YES CONFIG up                    up
You'll need to configure a NAT statement that will map the WAN IP of the router to the outside IP of the ASA (if you're only given a single public IP). This is commonly called port forwarding. You can map the inside service of Telnet TCP port 23 to a static port 2323 when accessing it from the outside (Internet). Make sure Telnet is allowed on the firewall outside ACL.
object network OBJ-ROUTER
 host 192.168.0.230
 nat (inside,outside) static interface service tcp 23 2323
If you need dynamic NAT/PAT for the inside users, use the after-auto keyword (to put it in Section 3, manual NAT, so it is evaluated after the object NAT rules above).
object network OBJ-LAN
 subnet 192.168.0.0 255.255.0.0
nat (inside,outside) after-auto source dynamic any interface
You also need a NAT statement (Identity NAT) for the router's WAN IP to be exempted from being translated by the firewall and avoid the rpf-check error when you do a packet-tracer.
object network OBJ-192.168.0.230
 host 192.168.0.230
 nat (inside,outside) static 192.168.0.230
You could either Telnet (using port 2323) from the HQ router or use a terminal emulator program (over the Internet).
HQ-RTR# telnet 200.1.1.50 2323
Trying 200.1.1.50, 2323 ... Open
User Access Verification
Password:
BRANCH-RTR>
You can verify hits on the firewall NAT and ACL using ASA commands below.
ASA# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static OBJ-192.168.0.230 OBJ-192.168.0.230     // IDENTITY NAT
    translate_hits = 1042, untranslate_hits = 7
2 (inside) to (outside) source static OBJ-ROUTER interface  service tcp telnet 2323    // PORT FORWARDING
    translate_hits = 0, untranslate_hits = 33

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface        // PAT
    translate_hits = 23877, untranslate_hits = 12204
ASA# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE; 5 elements; name hash: 0x6045359
access-list OUTSIDE line 1 extended permit icmp any any (hitcnt=0) 0xdfa29219
access-list OUTSIDE line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x8fa50f18
access-list OUTSIDE line 3 extended permit icmp any any unreachable (hitcnt=0) 0x23f941a7
access-list OUTSIDE line 4 extended permit tcp any any telnet (hitcnt=1) 0x2e855ed6
Once remote access to the router and the IPSec VPN tunnel to your HQ have been established, you'll need to lock down the firewall ACL so that the Telnet permit is no longer open to any source on the Internet.
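Here is one way to do that lockdown, plus the packet-tracer check for the NAT path mentioned earlier. This is an added example, not config from the original post: the HQ public address 198.51.100.10, the non-HQ test address 203.0.113.7, the object name OBJ-HQ-PUBLIC and the source port 40000 are placeholders, while the OUTSIDE ACL name, the router's inside address 192.168.0.230 and the ASA outside IP 200.1.1.50 come from the page. On ASA 8.3 and later the outside ACL is matched against the real (untranslated) destination, which is why the rule references the router's inside IP and real port 23 rather than the mapped port 2323, exactly as the page's own "permit tcp any any telnet" line did.

```cisco
! --- 1. Add the narrow rule first so the working management path never breaks ---
object network OBJ-HQ-PUBLIC
 description HQ public WAN address (placeholder value for this example)
 host 198.51.100.10
!
! Inserted at line 4, ahead of the wide-open Telnet permit (which becomes line 5).
! Real destination IP and real port: the ASA un-NATs 200.1.1.50:2323 to
! 192.168.0.230:23 before the access-list is evaluated.
access-list OUTSIDE line 4 extended permit tcp object OBJ-HQ-PUBLIC host 192.168.0.230 eq telnet
!
! --- 2. Remove the wide-open rule only after the narrow one is in place ---
no access-list OUTSIDE extended permit tcp any any telnet
!
! --- 3. Verify the NAT and ACL path without waiting for a real connection ---
! Expected: Action allow, with the UN-NAT phase showing the OBJ-ROUTER port-forward
! rule and the ACCESS-LIST phase matching the new line 4. A trace that drops in the
! NAT rpf-check phase instead points back at the missing identity NAT statement.
packet-tracer input outside tcp 198.51.100.10 40000 200.1.1.50 2323 detailed
!
! Expected: Action drop in the ACCESS-LIST phase (203.0.113.7 is not the HQ address).
packet-tracer input outside tcp 203.0.113.7 40000 200.1.1.50 2323
!
! --- 4. Confirm over time that only the narrow line accumulates hits ---
show access-list OUTSIDE
show nat
```

The same object-NAT form works for SSH (service tcp 22 2222) if the router has SSH enabled, which keeps the router password off the wire in cleartext while you are still troubleshooting across the Internet.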
ROUTER#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         unassigned      YES TFTP   up                    up
GigabitEthernet0/0         192.168.128.1   YES manual up                    up
GigabitEthernet0/1         192.168.0.230   YES NVRAM  up                    up
Tunnel123                  192.168.0.201   YES NVRAM  up                    up
ROUTER#show run interface tunnel123
Building configuration...

Current configuration : 208 bytes
!
interface Tunnel123
 ip address 192.168.0.201 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.168.0.230
 tunnel destination 192.168.0.158
end
ROUTER#ping 192.168.0.158 source 192.168.0.230
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.158, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.230
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/24 ms
ROUTER#ping 192.168.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.202, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms